The Federal Information Security Management Act has been criticized as a paperwork exercise that has cost agencies millions of dollars without improving security. But a handful of officials beg to differ: They say the problem is not the tool but how it has been used.

“I don’t think there is a problem with FISMA,” said David Stender, chief information security officer at the Internal Revenue Service. “I think there was a problem with implementing FISMA.”

Agencies have focused on complying with requirements that are not mandatory rather than using the requirements to improve the security status of their systems. That should not be surprising, Stender said, adding, “Compliance is the easiest way to meet requirements.”

But a number of agencies are moving beyond checklist compliance and improving security under FISMA. A handful of officials described their efforts today at the RSA Conference.

In addition to compliance, “we are also focused on risk,” Stender said.

Congress has been considering updating or replacing FISMA, and the Office of Management and Budget has issued new guidelines for FISMA compliance that put more emphasis on continuous monitoring of systems rather than on periodic snapshots.

Nevertheless, “we don’t have to stand still and wait for legislation,” Stender said.

“Within FISMA, there are controls that talk about the need for continuous monitoring,” said Kevin Cox, information security technology team leader at the Justice Department.